DETAILED ACTION

1. Claims 1-30 are pending in this application and have been examined in response
to application amendment filed on 02/09/2010.

2. The previously applied rejection under USC 112 is hereby withdrawn in view of
applicant's amendment. 

3. The previously applied rejection under USC 101 is hereby withdrawn in view of 
applicant's amendment. 

Claim Rejections - 35 USC § 102 

4. The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that
form the basis for the rejections under this section made in this Office action: 

A person shall be entitled to a patent unless - 

(b) the invention was patented or described in a printed publication in this or a foreign country or in public
use or on sale in this country, more than one year prior to the date of application for patent in the United 
States. 

5. Claims 1, 3-4, 12-13, 15, 17-18 and 26-27 are rejected under 35 U.S.C. 102(b)
as being anticipated by Boebert et al. (Boebert, US 5,822,435) in view of Gulick et 
al. (Gulick, US 6,314,501 B1). 

6. As to independent claim 1, Boebert discloses a method for maintaining the
security of data displayed on a display for a system comprising a secured execution 
environment and a second execution environment the method comprising: operating, on 
the system the second execution environment concurrently with the secured execution 
environment, the secure execution environment comprising a nexus and the second
execution environment comprising a different operating system (fig.2; col.4, lines 33-45;
a multilevel trusted path operating system "30", "60" is running with a 
second/workstation operating system "40" to form a secure networked computer 
system; fig. 6; col. 9, lines 7-16; during a secured/trusted execution environment, 
secured/trusted information overlays some parts of the second/workstation 
environment, displaying both information concurrently on the display), wherein the 
nexus and different operating system share a window manager (fig.5; col.8, lines 50-63; 
both the secure execution environment and the second execution environment shares a 
video manager "34", wherein a video multiplexer "76" within the video manager "34"
is used during the second execution environment, and a video RAM "74" within the
video manager "34" is used during the secure execution environment); 

storing an image of at least one graphical user interface element of said nexus, 
said at least one nexus graphical user interface element (col.5, lines 33-36; "trusted 
window") being associated with a first process running on said secured execution 
environment (col.5, lines 14-18; "trusted path mode"); and 

displaying said nexus graphical user interface element on said display completely 
on a display, such that no part of said nexus graphical user interface element is 
obscured by a graphical user interface element associated with said different operating 
system (fig.2, a trusted subsystem "67" that includes a cryptographic entity "69" is 
different from a untrusted subsystem "63"; col.4, lines 51-55) of said second execution 
environment on said display (col.5, lines 33-43; no parts of the nexus GUI is obscured 
because the nexus GUI is "overlaid" on top of the screen display). Boebert does not
disclose [the system is] a single computer. 

In the same field of endeavor, Gulick discloses [the system is] a single computer (col.2,
lines 45-50).

It would have been obvious to one of ordinary skill in the art, having the teaching of 
Boebert and Gulick before him at the time the invention was made, to modify the multi- 
leveled security environment interface taught by Boebert to be included in a single 
computer architecture taught by Gulick with the motivation to reduce the hardware 
overhead by integrating multi-leveled security environments under a single computer 
architecture (Gulick, col.2, lines 32-43). 

7. As to claim 3, Boebert discloses displaying said nexus graphical user interface 
element such that no part of said nexus graphical user interface element is obscured by 
a graphical user interface element associated with a second process running on said 
secured execution environment (col. 5, lines 33-43; no parts of the nexus GUI is 
obscured because the nexus GUI is "overlaid" on top of the screen display). 

8. As to claim 4, Boebert discloses displaying only graphical user interface 
elements on display upon receipt of a user secure display indication (col.5, lines 27-32).

9. As to independent claim 12, Boebert discloses a method for maintaining the
security of data displayed on a display for a system comprising a secured execution 
environment and a second execution environment, the method comprising: operating, 
on the system, the second execution environment concurrently with the secured 
execution environment, the secure execution environment comprising a nexus and the 
second execution environment comprising a different operating system, wherein the 
nexus and different operating system share a window manager (fig.2, a trusted sub 
operating system "67" that includes a cryptographic entity "69" is different from an
untrusted sub operating system "63"; col.4, lines 51-55; col.5, lines 34-42; col. 8, lines 
45-50; during a secured/trusted execution environment, secured/trusted information 
overlays some parts of the unsecure/untrusted environment, displaying both information 
concurrently); 

storing public title information and private title information for a graphical user 
interface element of said nexus, the nexus graphical user interface element being 
associated with a process running on said secured execution environment; using said 
private title information for window management functions on said secured execution 
environment when displaying said nexus graphical user interface element; and
providing said public title information for use in said second execution environment 
(col.5, lines 33-43; col.7, lines 20-25; col.8, lines 45-50; private title information is 
contained in secret information, and the public title information is contained in the 
unclassified information in order to prevent data of different security level from being
mixed). 

10. As to claim 13, Boebert discloses the window manager comprising a host window
manager (fig. 5; col. 8, lines 50-63; "video manager"), where said second execution 
environment includes said host window manager for managing graphical user interface 
elements on said display, where said host window manager creates a shadow graphical 
user interface element for said nexus graphical user interface element, and where said 
public title is used by said host window manager (col. 5, lines 33-43; col. 7, lines 20-25; 
col. 8, lines 45-50; private title information is contained in secret information, and the 
public title information is contained in the unclassified information in order to prevent 
data of different security level from being mixed.). 

11. As to independent claim 15, see rationale addressed in the rejection of claim 1 
above. 

12. As to claim 17, see rationale addressed in the rejection of claim 3 above. 

13. As to claim 18, see rationale addressed in the rejection of claim 4 above.

14. As to independent claim 26, see rationale addressed in the rejection of claim 12 
above.

15. As to claim 27, see rationale addressed in the rejection of claim 13 above.

Claim Rejections - 35 USC § 103 

16. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set 
forth in section 102 of this title, if the differences between the subject matter sought to be patented and 
the prior art are such that the subject matter as a whole would have been obvious at the time the 
invention was made to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was made. 

17. Claims 2 and 16 are rejected under 35 U.S.C. 103(a) as being unpatentable 
over Boebert, Gulick and Janssen et al. (Janssen, US 6,512,529 B1).

18. As to claim 2, Boebert and Gulick do not disclose ensuring that nexus graphical
user interface element contains no areas of transparency. 

In the same field of endeavor, Janssen discloses a graphical user interface element 
contains no areas of transparency (col.3, lines 23-25).

It would have been obvious to one of ordinary skill in the art, having the teaching of 
Boebert and Gulick and the teaching of Janssen before him at the time the invention 
was made, to modify the secured execution environment interface taught by Boebert 
and Gulick to include opaque user interface mode taught by Janssen with the motivation 
being to ensure proper visibility of the secured execution environment.

19. As to claim 16, see rationale addressed in the rejection of claim 2 above.

20. Claims 5-6, 7-8, 10-11, 14, 19-20, 21-22, 24-25 and 28-30 are rejected under 
35 U.S.C. 103(a) as being unpatentable over Boebert in view of Gulick and in 
further view of Ye et al. (Ye, "Trusted paths for browsers: An open-source 
solution to web spoofing", Feb 4, 2002). 

21. As to independent claim 5, Boebert discloses a method for maintaining the
security of data displayed on a display for a system comprising a secured execution 
environment and a second execution environment the method comprising: operating, on 
the system, the second execution environment concurrently with the secured execution 
environment, the secure execution environment comprising a nexus and the second 
execution environment comprising a different operating system (fig.2; col.4, lines 33-45; 
a multilevel trusted path operating system "30", "60" is running with a 
second/workstation operating system "40" to form a secure networked computer 
system; fig.6; col. 9, lines 7-16; during a secured/trusted execution environment, 
secured/trusted information overlays some parts of the second/workstation 
environment, displaying both information concurrently on the display), where the nexus 
and different operating system share a window manager (fig.5; col.8, lines 50-63; "video 
manager");

displaying a graphical user interface element, where said nexus graphical user
interface element is associated with a process running on said secured execution 
environment (col.4, lines 4-15). Boebert and Gulick do not specifically disclose storing 
and display a nexus-user secret associated with said secured execution environment. 

In the same field of endeavor, Ye discloses storing and display a nexus-user secret
associated with said secured execution environment (Section 4.2 "Synchronized 
random dynamic boundaries"). 

It would have been obvious to one of ordinary skill in the art, having the teaching of 
Boebert and Gulick and Ye before him at the time the invention was made, to modify the 
secured execution environment interface taught by Boebert and Gulick to include 
synchronized random dynamic boundaries taught by Ye with the motivation being to 
provide an effective trust judgment about the identity of a graphic interface element in a 
human-computer interaction environment. 

22. As to claim 6, Ye discloses accepting a user nexus-user secret display indication; 
and displaying said nexus-user secret (Section 4.2 "Synchronized random dynamic 
boundaries"; the nexus-user secret disclosed here is having trusted and untrusted color 
borders representing each of the nexus and the second execution environments).

23. As to independent claim 7, Boebert discloses a method for maintaining the
security of data displayed on a display for a system comprising a secured execution 
environment and a second execution environment the method comprising: operating, on 
the system, the second execution environment concurrently with the secured execution 
environment, the secure execution environment comprising a nexus and the second 
execution environment comprising a different operating system (fig.2; col.4, lines 33-45; 
a multilevel trusted path operating system "30", "60" is running with a 
second/workstation operating system "40" to form a secure networked computer 
system; fig. 6; col. 9, lines 7-16; during a secured/trusted execution environment, 
secured/trusted information overlays some parts of the second/workstation 
environment, displaying both information concurrently on the display), wherein the 
nexus and different operating system share a window manager (fig.5; col.8, lines 50-63; 
"video manager"); 

accepting at least two graphical data elements of said nexus, each associated 
with a process running on said secured execution environment, for display on said 
display; and displaying at least two graphical user interface elements of said nexus,
each of said nexus graphical user interface elements comprising one of said nexus
graphical data elements (col. 6, lines 52- 56). Boebert and Gulick do not disclose a 
common graphical user interface decoration.

In the same field of endeavor, Ye discloses a common graphical user interface
decoration (Section 4.2 "Synchronized random dynamic boundaries"; same window 
borders and styles for trusted environment). 

It would have been obvious to one of ordinary skill in the art, having the teaching of 
Boebert and Gulick and Ye before him at the time the invention was made, to modify the 
secured execution environment interface taught by Boebert and Gulick to include 
synchronized random dynamic boundaries taught by Ye with the motivation being to 
provide an effective trust judgment about the identity of a graphic interface element in a 
human-computer interaction environment. 

24. As to claim 8, Ye discloses common graphical user interface decoration 
comprises a colored border (Section 4.2, "Synchronized random dynamic boundaries"; 
Section 5.1 "Adding colored boundaries"). 

25. As to claim 10, Ye discloses changing said common graphical user interface 
decoration when a set time period elapses (Section 5.2 "Making the boundaries 
dynamic"; the "setInterval" sets the time interval for a change in the graphical user
interface decoration).

26. As to claim 11, Ye discloses changing said common graphical user interface
decoration when a user decoration change indication is received (Section 5.2 "Making 
the boundaries dynamic"; the "example-changeBorder.js" script that is in charge of the 
border style is set by a user). 

27. As to claim 14, Boebert discloses displaying each of said nexus graphical user 
interface element on said display completely on a display, such that no part of said 
nexus graphical user interface element is obscured by a graphical user interface 
element associated with said second execution environment on said display (col. 5, lines 
33-43; no parts of the nexus GUI is obscured because the nexus GUI is "overlaid" on 
top of the screen display). Boebert and Gulick do not disclose each of said nexus 
graphical user interface elements comprises a common graphical user interface 
decoration. Storing a nexus-user secret associated with said secured execution 
environment; and displaying a nexus-user secret graphical user interface element 
comprising said nexus-user secret on said display. 

In the same field of endeavor, Ye discloses each of said nexus graphical user interface
elements comprises a common graphical user interface decoration. Storing a nexus- 
user secret associated with said secured execution environment; and displaying a 
nexus-user secret graphical user interface element comprising said nexus-user secret 
on said display (Section 4.2 "Synchronized random dynamic boundaries"; same window 
borders and styles for trusted environment; the nexus-user secret disclosed here is 
having trusted and untrusted color borders representing each of the nexus and the
second execution environments). 

It would have been obvious to one of ordinary skill in the art, having the teaching of 
Boebert and Gulick and Ye before him at the time the invention was made, to modify the 
secured execution environment interface taught by Boebert and Gulick to include 
synchronized random dynamic boundaries taught by Ye with the motivation being to 
provide an effective trust judgment about the identity of a graphic interface element in a 
human-computer interaction environment. 

28. As to independent claim 19, see rationale addressed in the rejection of claim 5 
above. 

29. As to independent claim 21, see rationale addressed in the rejection of claim 7
above. 

30. As to claim 20, see rationale addressed in the rejection of claim 6 above. 

31. As to claim 22, see rationale addressed in the rejection of claim 8 above.



32. As to claim 24, see rationale addressed in the rejection of claim 10 above.

33. As to claim 25, see rationale addressed in the rejection of claim 11 above.

34. As to claim 28, see rationale addressed in the rejection of claim 14 above. 

35. As to independent claim 29, Boebert discloses a system for maintaining the 
security of data displayed on a display, the system comprising: operating the second 
execution environment concurrently with the secured execution environment, the secure 
execution environment comprising a nexus and the second execution environment 
comprising a different operating system (fig.2; col.4, lines 33-45; a multilevel trusted 
path operating system "30", "60" is running with a second/workstation operating system 
"40" to form a secure networked computer system; fig.6; col.9, lines 7-16; during a 
secured/trusted execution environment, secured/trusted information overlays some 
parts of the second/workstation environment, displaying both information concurrently 
on the display); 

first storage in said secured execution environment for storing private title 
information for a graphical user interface element of said nexus, the nexus graphical 
user interface element being associated with a process running on said secured 
execution environment and a nexus-user secret associated with said secured execution 
environment; second storage in said second execution environment for storing public 
title information for said nexus graphical user interface element; a trusted window 
manager for displaying said nexus graphical user interface element on said display 
(col.5, lines 33-43; col.7, lines 20-25; col.8, lines 45-50; private title information is 
contained in secret information, and the public title information is contained in the
unclassified information in order to prevent data of different security level from being 
mixed), such that no part of said nexus graphical user interface element is obscured by 
a graphical user interface element associated with said second execution environment 
on said display (col.5, lines 33-43; no parts of the nexus GUI is obscured because the
nexus GUI is "overlaid" on top of the screen display), wherein the nexus and different
operating system share the trusted window manager (fig.5; col.8, lines 50-63; "video
manager"). Boebert and Gulick do not disclose where said nexus graphical user
interface element comprises a common graphical user interface decoration and said 
private title information. 

In the same field of endeavor, Ye discloses nexus graphical user interface elements
comprises a common graphical user interface decoration (Section 4.2 "Synchronized 
random dynamic boundaries"; same window borders and styles for trusted 
environment), and private title information (Section 4.2 "Synchronized random dynamic 
boundaries", secret information such as the border colors, styles and intervals of the 
random changes are considered as private title because the private title is used only 
under a secured execution environment). 

It would have been obvious to one of ordinary skill in the art, having the teaching of 
Boebert and Gulick and Ye before him at the time the invention was made, to modify the 
secured execution environment interface taught by Boebert and Gulick to include 
synchronized random dynamic boundaries taught by Ye with the motivation being to
provide an effective trust judgment about the identity of a graphic interface element in a 
human-computer interaction environment. 

36. As to claim 30, Ye discloses displaying a nexus-user secret graphical user 
interface element comprising said nexus-user secret on said display (Section 4.2 
"Synchronized random dynamic boundaries"; the nexus-user secret disclosed here is 
having trusted and untrusted color borders representing each of the nexus and the 
second execution environments). 

37. Claims 9 and 23 are rejected under 35 U.S.C. 103(a) as being unpatentable 
over Boebert in view of Gulick and in further view of Ye and Dhamija (Dhamija, 
"Hash visualization in user authentication", April 2000) 

38. As to claim 9, Boebert and Gulick do not disclose common graphical user 
interface decoration comprises one or more randomly selected images. 

In the same field of endeavor, Ye discloses a common graphical user interface
decoration (Section 4.2 "Synchronized random dynamic boundaries"; same window 
borders and styles for trusted environment).

It would have been obvious to one of ordinary skill in the art, having the teaching of
Boebert and Gulick and Ye before him at the time the invention was made, to modify the
secured execution environment interface taught by Boebert and Gulick to include 
synchronized random dynamic boundaries taught by Ye with the motivation being to 
provide an effective trust judgment about the identity of a graphic interface element in a 
human-computer interaction environment. 

Ye does not disclose using one or more randomly selected images. 

In the same field of endeavor, Dhamija discloses randomly selected images (Paragraph 
"A prototype image authentication system"); 

It would have been obvious to one of ordinary skill in the art, having the teaching of 
Boebert, Gulick and Ye, and the teaching of Dhamija before him at the time the invention
was made, to modify the secured execution environment reorganization interface taught 
by Boebert, Gulick and Ye to include random selected images taught by Dhamija with 
the motivation being to provide an easy to remember and hard to write down trust 
judgment about the identity of a graphic interface element in a human-computer 
interaction environment. 



39. As to claim 23, see rationale addressed in the rejection of claim 9 above.

Response to Arguments

40. Applicant's arguments filed 02/09/2010 have been fully considered but they are
not persuasive. 

41. Applicant argues that Boebert discloses an "either/or" operating modes, not a
concurrent operating mode. 

In response to applicant's argument, Boebert discloses a secure networked computer 
system (col. 4, lines 32) which includes a workstation "40" running a first level execution 
environment and a multi-level computer "60" with a trusted path subsystem "30" running 
at least a second level execution environment, a user can invoke the second level 
execution environment while in the first level execution environment, when the second 
level execution environment is invoked, the first level execution environment is isolated 
from the second level execution environment. The first level execution environment and 
the second execution environment are running concurrently on the networked 
computer system in the sense that during the isolation of the first level execution 
environment, the first level execution environment is still running even though the first 
level execution environment is isolated from the second level execution environment 
(fig. 2; col. 6, lines 60- col.7, lines 11). The applicant appears to indicate concurrency 
requires the execution environments to interact with each other in parallel. However, as 
defined by the Microsoft Press computer dictionary third edition (ISBN 1-57231-446-X)
that "concurrent execution" is [t]he apparently simultaneous execution of two or more 
routines or programs... [carried out by] threads of execution or by using multiple
processors. 

42. Applicant argues that Boebert does not disclose the two operating systems share 
a window manager. 

In response to applicant's argument, Boebert discloses having both a secure/trusted 
execution environment and a second/workstation execution environment sharing a 
video manager "34", wherein a video multiplexer "76" within the video manager "34"
is used during the second/workstation execution environment, and a video RAM "74" 
within the video manager "34" is used during the secure/trusted execution
environment (fig.5; col.8, lines 50-63). Wherein the video data from the two execution 
environments shares the same video manager resource for the purpose of 
synchronizing and displaying both video data to be displayed on a same display through
the video manager "34" (col.9, lines 7-16). 

43. Applicant may alleviate the current prior art rejection by specifying the linkage 
and the activation between the two execution environments (application spec, pg.15-16, 
par.[0061], last 5 lines). 

Conclusion 

44. Applicant's amendment necessitated the new ground(s) of rejection presented in 
this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP 
§ 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37
CFR 1.136(a). 

A shortened statutory period for reply to this final action is set to expire THREE 
MONTHS from the mailing date of this action. In the event a first reply is filed within 
TWO MONTHS of the mailing date of this final action and the advisory action is not 
mailed until after the end of the THREE-MONTH shortened statutory period, then the 
shortened statutory period will expire on the date the advisory action is mailed, and any 
extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of
the advisory action. In no event, however, will the statutory period for reply expire later 
than SIX MONTHS from the date of this final action. 

Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to HAOSHIAN SHIH whose telephone number is (571) 270-1257.
The examiner can normally be reached on m-f 0730-1700.

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Kieu Vu can be reached on (571) 272-4057. The fax phone number for the 
organization where this application or proceeding is assigned is 571-273-8300.

Information regarding the status of an application may be obtained from the
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a 
USPTO Customer Service Representative or access to the automated information 
system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 

HSS 

/Kieu Vu/ 

Supervisory Patent Examiner, Art Unit 2173 



